extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-30 17:39:33 +01:00
Code Issues Packages Projects Releases Wiki Activity

Update the release documents

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6045 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-04-21 15:07:16 +00:00
parent dd17469dff
commit 960acb414e
2 changed files with 155 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Shorewall-common/changelog.txt
View File

@ -1,6 +1,8 @@
Changes in 3.9.4 Changes in 3.9.4
1) Fix port 0 problem (again!) 1) Fix port 0 problem (again!).
2) Fix log_martians.
Changes in 3.9.3 Changes in 3.9.3

122
Shorewall-common/releasenotes.txt
View File

@ -72,32 +72,32 @@ rewrite of the compiler in Perl.
I decided to make Shorewall-perl a separate product for several reasons: I decided to make Shorewall-perl a separate product for several reasons:
a) Embedded applications are unlikely to adopt Shorewall-perl; even Mini-Perl a) Embedded applications are unlikely to adopt Shorewall-perl; even
has a substantial disk and Ram footprint. Mini-Perl has a substantial disk and Ram footprint.
b) Because of the gross incompatibilities between the new compiler and the b) Because of the gross incompatibilities between the new compiler and the
old (see below), migration to the new compiler must be voluntary. old (see below), migration to the new compiler must be voluntary.
c) By allowing Shorewall-perl to co-exist with the current Shorewall stable c) By allowing Shorewall-perl to co-exist with the current
release (3.4), I'm hoping that the new compiler will get more testing and Shorewall stable release (3.4), I'm hoping that the new compiler
validation than it would if I were to package it with a new development will get more testing and validation than it would if I were to
version of Shorewall itself. package it with a new development version of Shorewall itself.
d) Along the same vein, I think that users will be more likely to experiment d) Along the same vein, I think that users will be more likely to
with the new compiler if they can easily fall back to the old one if things experiment with the new compiler if they can easily fall back to
get sticky. the old one if things get sticky.
---------------------------------------------------------------------------- ------------------------------------------------------------------------
T H E G O O D N E W S: T H E G O O D N E W S:
---------------------------------------------------------------------------- ------------------------------------------------------------------------
a) The compiler has a small disk footprint. a) The compiler has a small disk footprint.
b) The compiler is very fast. b) The compiler is very fast.
c) The compiler generates a firewall script that uses iptables-restore; c) The compiler generates a firewall script that uses iptables-restore;
so the script is very fast. so the script is very fast.
d) Use of the perl compiler is optional! The old slow clunky d) Use of the perl compiler is optional! The old slow clunky
Bourne-shell compiler is still available. Bourne-shell compiler is still available.
---------------------------------------------------------------------------- ------------------------------------------------------------------------
T H E B A D N E W S: T H E B A D N E W S:
---------------------------------------------------------------------------- ------------------------------------------------------------------------
There are a number of incompatibilities between the Perl-based compiler There are a number of incompatibilities between the Perl-based compiler
and the Bourne-shell one. Some of these will probably go away by first and the Bourne-shell one. Some of these will probably go away by first
official release but most will not. official release but most will not.
@ -147,8 +147,8 @@ e) Because the compiler is now written in Perl, your compile-time
Where Where
<the rule> is a scalar argument holding the rule text. Do not <the rule> is a scalar argument holding the rule text. Do
include "-A <chain name>" not include "-A <chain name>"
Example: Example:
@ -161,12 +161,12 @@ e) Because the compiler is now written in Perl, your compile-time
The log_rule_limit function works like it does in the shell The log_rule_limit function works like it does in the shell
compiler with two exceptions: compiler with two exceptions:
- You pass the chain reference rather than the name of the - You pass the chain reference rather than the name of
chain. the chain.
- The commands are 'add' and 'insert' rather than '-A' and - The commands are 'add' and 'insert' rather than '-A'
'-I'. and '-I'.
- There is only a single "pass as-is to iptables" argument - There is only a single "pass as-is to iptables"
(so you must quote that part). argument (so you must quote that part).
Example: Example:
@ -182,15 +182,15 @@ e) Because the compiler is now written in Perl, your compile-time
f) The 'refresh' command is now synonymous with 'restart'. f) The 'refresh' command is now synonymous with 'restart'.
g) Some run-time scripts will need to be changed to write their g) Some run-time scripts will need to be changed to write their
iptables commands to file descriptor 3 in iptables-restore format iptables commands to file descriptor 3 in iptables-restore
rather than running those commands. format rather than running those commands.
maclog maclog
Details to follow. Details to follow.
Some run-time scripts are simply eliminated because they no longer Some run-time scripts are simply eliminated because they no
make any sense under Shorewall-perl: longer make any sense under Shorewall-perl:
initdone - The these two scripts assumed a model where the initdone - The these two scripts assumed a model where the
continue chains were built in parallel. In the continue chains were built in parallel. In the
@ -200,8 +200,9 @@ g) Some run-time scripts will need to be changed to write their
refresh - The 'refresh' command is the same as 'restart' refresh - The 'refresh' command is the same as 'restart'
refreshed refreshed
h) The /etc/shorewall/tos file now has zone-independent SOURCE and DEST h) The /etc/shorewall/tos file now has zone-independent SOURCE and
columns as do all other files except the rules and policy files. DEST columns as do all other files except the rules and policy
files.
The SOURCE column may be one of the following: The SOURCE column may be one of the following:
@ -210,24 +211,26 @@ h) The /etc/shorewall/tos file now has zone-independent SOURCE and DEST
$FW[:<address>[,...]] $FW[:<address>[,...]]
The DEST column may be one of the following: The DEST column may be one of the following:
[all:]<address>[,...] [all:]<address>[,...]
[all:]<interface>[:<address>[,...]] [all:]<interface>[:<address>[,...]]
This is a permanent change. The old zone-based rules have never This is a permanent change. The old zone-based rules have never
worked right and this is a good time to replace them. I've tried to worked right and this is a good time to replace them. I've tried
make the new syntax cover the most common cases without requiring to make the new syntax cover the most common cases without
change to existing files. In particular, it will handle the tos file requiring change to existing files. In particular, it will
released with Shorewall 1.4 and earlier. handle the tos file released with Shorewall 1.4 and earlier.
i) Currently, support for ipsets is untested. That will change with i) Currently, support for ipsets is untested. That will change with
future pre-releases but one thing is certain -- Shorewall is now out future pre-releases but one thing is certain -- Shorewall is now
of the ipset load/reload business. With scripts generated by the out of the ipset load/reload business. With scripts generated by
Perl-based Compiler, the Netfilter ruleset is never cleared. That the Perl-based Compiler, the Netfilter ruleset is never
means that there is no opportunity for Shorewall to load/reload your cleared. That means that there is no opportunity for Shorewall
ipsets since that cannot be done while there are any current rules to load/reload your ipsets since that cannot be done while there
using ipsets. are any current rules using ipsets.
So: So:
i) Your ipsets must be loaded before Shorewall starts. You i) Your ipsets must be loaded before Shorewall starts. You
are free to try to do that with the following code in are free to try to do that with the following code in
/etc/shorewall/start: /etc/shorewall/start:
@ -247,33 +250,34 @@ i) Currently, support for ipsets is untested. That will change with
'shorewall stop' - 'shorewall start' sequence if you 'shorewall stop' - 'shorewall start' sequence if you
use ipsets in your routestopped file (see below). use ipsets in your routestopped file (see below).
ii) Your ipsets may not be reloaded until Shorewall is stopped or ii) Your ipsets may not be reloaded until Shorewall is stopped
cleared. or cleared.
iii) If you specify ipsets in your routestopped file then iii) If you specify ipsets in your routestopped file then
Shorewall must be cleared in order to reload your ipsets. Shorewall must be cleared in order to reload your ipsets.
As a consequence, scripts generated by the Perl-based compiler will As a consequence, scripts generated by the Perl-based compiler
ignore /etc/shorewall/ipsets and will issue a warning if you set will ignore /etc/shorewall/ipsets and will issue a warning if
SAVE_IPSETS=Yes in shorewall.conf. you set SAVE_IPSETS=Yes in shorewall.conf.
j) Because the configuration files (with the exception of j) Because the configuration files (with the exception of
/etc/shorewall/params) are now processed by the Perl-based compiler /etc/shorewall/params) are now processed by the Perl-based
rather than by the shell, only the basic forms of Shell expansion compiler rather than by the shell, only the basic forms of Shell
($variable and ${variable}) are supported. The more exotic forms expansion ($variable and ${variable}) are supported. The more
such as ${variable:=default} are not supported. Both variables exotic forms such as ${variable:=default} are not
defined in /etc/shorewall/params and environmental variables supported. Both variables defined in /etc/shorewall/params and
(exported by the shell) can be used in configuration files. environmental variables (exported by the shell) can be used in
configuration files.
h) USE_ACTIONS=No is not supported. That option is intended to minimize h) USE_ACTIONS=No is not supported. That option is intended to
Shorewall's footprint in embedded applications. As a consequence, minimize Shorewall's footprint in embedded applications. As a
Default Macros are not supported. consequence, Default Macros are not supported.
i) DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is i) DELAYBLACKLISTLOAD=Yes is not supported. The entire ruleset is
atomically loaded with one execution of iptables-restore. atomically loaded with one execution of iptables-restore.
j) MAPOLDACTIONS=Yes is not supported. People should have converted to j) MAPOLDACTIONS=Yes is not supported. People should have converted
using macros by now. to using macros by now.
k) The pre Shorewall-3.0 format of the zones file is not supported; k) The pre Shorewall-3.0 format of the zones file is not supported;
neither is the /etc/shorewall/ipsec file. neither is the /etc/shorewall/ipsec file.
@ -342,6 +346,18 @@ used when you compile from that directory.
If you only install one compiler, it is suggested that you do not set If you only install one compiler, it is suggested that you do not set
SHOREWALL_COMPILER. SHOREWALL_COMPILER.
If you install Shorewall-perl under Shorewall 3.9.2 or later, you can
select the compiler to use on the command line using the 'C option:
'-C shell' means use the shell compiler
'-C perl' means use the perl compiler
The -C option overrides the setting in shorewall.conf.
Example:
shorewall restart -C perl
Regardless of the setting of SHOREWALL_COMPILER, there is one change in Regardless of the setting of SHOREWALL_COMPILER, there is one change in
Shorewall operation that is triggered simply by installing Shorewall operation that is triggered simply by installing
shorewall-perl. Your params file will be processed during compilation shorewall-perl. Your params file will be processed during compilation